javascript.allow.mailnews defaults to false in my copy of 2.0.0.14. It controls whether to allow JavaScript in newsgroup messages and e-mails to execute. You can double check that using tools -> options -> advanced -> general -> config editor. At one time there was a checkbox in tools -> options to set that preference but it was removed in later versions, and disabled by default.

I couldn't find the advisory you are talking about. The latest one at http://www.mozilla.org/security/#Security_Alerts states "Security Update (May 1, 2008): A security update has been issued for Thunderbird that fixes moderate security vulnerabilities when JavaScript is enabled in mail. All users should install this security and stability update." (i.e. 2.0.0.14)

Guest

Guest

Posted July 16th, 2008, 8:26 pm

Thanks for the help. I checked mine and it is also at False (default, no doubt).

It's in the MFSA announcement that you are referring to, just underneath the description:

Note: Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail.